02-27-2018 02:00 AM - edited 02-21-2020 07:27 AM
Recently we decided at the office to upgrade our ASA firewalls to a newer version, up from version 7.2(2). We have 5 external IPs, x.x.x.13 up to x.x.x.17, these are all linked to different servers (http, https). Only the x.x.x.13 address is configured on the outside interface. Via NAT static rules traffic is redirected to the correct servers.
For our phones (SIP) we use a server hosted at a third party, and even though there does not seem to be any specific configuration in our 7.2(2) ASA, it works. I reckon this is because of the inspect SIP part of the configuration.
We had two ways of upgrading:
1) Upgrade firmware and let the upgrade process handle the configuration and update it to match the new firmware version.
2) Upgrade firmware, reset to defaults, start from scratch with the configuration.
The first path led to a partially working configuration. There were warnings about interfaces looping on themselves and our SIP phones did not work properly anymore (could not receive any calls). Furthermore, someone had once messed around with the configuration of WebVPN and polluted the configuration with lots of unnecessary things.
The second path had a similar issue with SIP and initially with port forwards as well. Under 7.2(2) there was a NAT rule defined, a dynamic policy (source any destination any) for the inside and outside interfaces. This rule is what triggered the warnings for the first path and I was unsure how to recreate it properly for the second path.
My questions are as follows:
A) Does our setup with multiple IP addresses, only one configured on an outside interface, forwards to internal systems via NAT etc. classify as NAT, or PAT, or something else? This would help me in figuring out the right configuration.
B) What is the purpose of the dynamic policy? And how is this recreated in a post 8.3 configuration?
C) What do you need in a post 8.3 configuration to make SIP work? I know the IP of the external SIP server, do I need to add this to an ACL?
I do have some experience with setting up ASAs via the CLI, but I also use ASDM for some other things. Either way help would be appreciated, be it via CLI commands or ASDM instructions.
02-27-2018 03:46 AM
A) The number of public IPs available for NAT/PAT does not dictate if you have NAT or PAT, it depends on the policies you set up.
NAT is mapping IPs one-to-one and keeps port intact
PAT maps multiple inside addresses to one IP using different port numbers
B) Dynamic NAT—A group of real IP addresses are mapped to a (usually smaller) group of mapped IP addresses, on a first come, first served basis. Only the real host can initiate traffic.
https://www.cisco.com/c/en/us/td/docs/security/asa/asa83/configuration/guide/config/nat_overview.html
config example:
PRE 8.3:
nat (inside) 1 192.168.0.0 255.255.255.0
global (outside) 1 x.x.x.13
POST 8.3:
object network obj-192.168.0.0
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) dynamic x.x.x.13
you can find a lot more examples at:
https://supportforums.cisco.com/t5/security-documents/asa-pre-8-3-to-8-3-nat-configuration-examples/ta-p/3116375
C) It does depend on your config. If you have ACLs on your higher security interface you will need to allow SIP traffic, and because it is an external provider I believe you need to NAT to the public IP that they are expecting.
HTH
Bogdan
02-27-2018 04:43 AM - edited 02-27-2018 04:47 AM
Regarding your answer for B, I am running into some problems.
When I enter the commands as you provided them, I notice 192.168.1.0 instead of 192.168.0.0. Is this intentional?
Also when I enter: nat (inside,outside) dynamic x.x.x.13
I get an error: Address x.x.x.13 overlaps with outside interface address.
after which the ASA refuses to use it in the NAT configuration.
If I understand it correctly, I should change that line into: nat (inside,outside) dynamic interface
or is that assumption false?
02-27-2018 06:02 AM - edited 02-27-2018 06:08 AM
You are correct, I mistyped the subnet.
If you have the IP configured on the interface you can use the interface keyword.
PRE 8.3:
nat (inside) 1 192.168.0.0 255.255.255.0
global (outside) 1 x.x.x.13
POST 8.3:
object network obj-192.168.0.0
subnet 192.168.0.0 255.255.255.0
nat (inside,outside) dynamic interface
One more thing I wanted to mention, a great tool to verify your NAT config is packet-tracer.
For example if you run packet-tracer input inside icmp 192.168.0.10 8 0 8.8.8.8
You should receive at the NAT phase something like:
Additional Information:
Dynamic translate 192.168.0.10/0 to x.x.x.13/32345
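The pre-8.3 to post-8.3 dynamic NAT translation above, with the `interface` keyword chosen automatically when the global address is the one configured on the mapped interface, as an added example (Python, not code from the thread or from Cisco). It pairs `nat (ifc) ID net mask` with `global (ifc) ID addr` by NAT ID; the sample config is constructed from the addresses in the thread, and NAT ID 0 (identity NAT / exemption) and address-range pools are reported rather than converted, since they need different post-8.3 constructs.

```python
"""Translate pre-8.3 ASA dynamic NAT ('nat'/'global' pairs) to post-8.3 object
NAT. Added example, not from the thread or Cisco: pairs statements by NAT ID
and emits 'dynamic interface' when the global address is the address configured
on the mapped interface (the overlap error discussed in the thread)."""
import re

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")


def parse_interface_ips(config):
    """Map nameif -> IP configured on that interface."""
    ips, nameif = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            ips[nameif] = line.split()[2]
    return ips


def convert_dynamic_nat(config):
    """Return (post-8.3 lines, notes on statements that were not converted)."""
    reals, mapped, notes = {}, {}, []
    for raw in config.splitlines():
        line = raw.strip()
        m = NAT_RE.match(line)
        if m:
            ifc, nat_id, net, mask = m.groups()
            if nat_id == "0":   # identity NAT / nat exemption is a different construct
                notes.append(f"skipped, nat 0 is identity NAT not dynamic: {line}")
            else:
                reals.setdefault(nat_id, []).append((ifc, net, mask))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            ifc, nat_id, addr = m.groups()
            if "-" in addr:     # an address range is a NAT pool and needs a range object
                notes.append(f"skipped, pool needs a range object: {line}")
            else:
                mapped.setdefault(nat_id, []).append((ifc, addr))
    iface_ips = parse_interface_ips(config)
    out = []
    for nat_id, real_list in sorted(reals.items()):
        globals_ = mapped.get(nat_id, [])
        if not globals_:
            notes.append(f"nat id {nat_id} has no global statement; nothing emitted")
        for real_ifc, net, mask in real_list:
            for mapped_ifc, addr in globals_:
                # object NAT allows one 'nat' line per object, so a NAT ID with
                # several globals becomes one object per mapped interface
                name = f"obj-{net}" if len(globals_) == 1 else f"obj-{net}-{mapped_ifc}"
                if iface_ips.get(mapped_ifc) == addr:
                    addr = "interface"   # a literal IP here overlaps the interface address
                out += [f"object network {name}",
                        f" subnet {net} {mask}",
                        f" nat ({real_ifc},{mapped_ifc}) dynamic {addr}"]
    return out, notes


# Constructed sample using the addresses from the thread.
SAMPLE_PRE83 = """\
interface Vlan2
 nameif outside
 ip address x.x.x.13 255.255.255.248
!
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.0.0 255.255.255.0
global (outside) 1 x.x.x.13
"""

if __name__ == "__main__":
    lines, notes = convert_dynamic_nat(SAMPLE_PRE83)
    print("\n".join(lines))
    for note in notes:
        print("#", note)
```

Run as-is it prints the same three object-network lines given in the reply above; change the global to an address that is not on the interface and the literal address is kept instead of `interface`.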
02-27-2018 06:26 AM
Using the information you provided and the list of required port forwards, I have put together the following configuration (show running-config). I've left out the actual public IPs (x.x.x.13 etc) and the VOIP server IP (y.y.y.130). Do you see anything that might cause issues in here?
The tricky thing is I cannot easily test this live because our USA office (we are located in Europe) also uses our servers. The only time I can test this without consequences is between 12AM and 8AM, during which I am not at the office.
ASA Version 9.2(4)25
!
hostname Sylvanas
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 12
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 description Fiber
 nameif inside
 security-level 100
 ip address 192.168.0.253 255.255.255.0
!
interface Vlan2
 description LAN
 nameif outside
 security-level 0
 ip address x.x.x.13 255.255.255.248
!
interface Vlan12
 description ADSL
 nameif backup
 security-level 0
 ip address 192.168.2.200 255.255.255.0
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj-192.168.0.0
 subnet 192.168.0.0 255.255.255.0
object network https_14
 host 192.168.0.2
object network http_14
 host 192.168.0.14
object network http_15
 host 192.168.0.16
object network https_15
 host 192.168.0.16
object network http_16
 host 192.168.0.6
object network https_16
 host 192.168.0.6
object network https_17
 host 192.168.0.17
access-list outside_access_in extended permit tcp any object http_14 eq www
access-list outside_access_in extended permit tcp any object https_14 eq https
access-list outside_access_in extended permit tcp any object http_15 eq www
access-list outside_access_in extended permit tcp any object https_15 eq https
access-list outside_access_in extended permit tcp any object http_16 eq www
access-list outside_access_in extended permit tcp any object https_16 eq https
access-list outside_access_in extended permit tcp any object https_17 eq https
access-list outside_access_in extended permit tcp host y.y.y.130 eq sip any eq sip
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu backup 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (inside,outside) dynamic interface
object network obj-192.168.0.0
 nat (inside,outside) dynamic interface
object network https_14
 nat (inside,outside) static x.x.x.14 service tcp https https
object network http_14
 nat (inside,outside) static x.x.x.14 service tcp www www
object network http_15
 nat (inside,outside) static x.x.x.15 service tcp www www
object network https_15
 nat (inside,outside) static x.x.x.15 service tcp https https
object network http_16
 nat (inside,outside) static x.x.x.16 service tcp www www
object network https_16
 nat (inside,outside) static x.x.x.16 service tcp https https
object network https_17
 nat (inside,outside) static x.x.x.17 service tcp https https
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.18 1 track 1
route backup 0.0.0.0 0.0.0.0 192.168.2.254 254
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
sla monitor 123
 type echo protocol ipIcmpEcho x.x.x.18 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
!
track 1 rtr 123 reachability
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.0.20-192.168.0.147 inside
dhcpd dns 192.168.0.2 8.8.8.8 interface inside
dhcpd domain mydomain.local interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
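Two of the things worth checking in a config like the one above before an untested cut-over are the ones that came up earlier in the thread: a dynamic NAT written with the interface's own address instead of the `interface` keyword, and a static port forward whose object has no permit entry in the inbound ACL (post-8.3 ACLs match the real address, so the ACL references the same object as the NAT rule). The following is an added example in Python, not code from the thread or from Cisco; it parses a `show running-config` style text and reports both conditions. The sample config is constructed from the posted one, condensed, with both mistakes deliberately injected.

```python
"""Consistency checks for a post-8.3 ASA object NAT config (added example,
not from the thread or Cisco)."""
import re

STATIC_RE = re.compile(
    r"^nat \((\S+),(\S+)\) static (\S+)(?: service (tcp|udp) (\S+) (\S+))?$")
DYNAMIC_RE = re.compile(r"^nat \((\S+),(\S+)\) dynamic (\S+)$")


def parse_config(config):
    """Return (interface_ips, objects, acls, access_groups) from config text."""
    iface_ips, objects, acls, groups = {}, {}, {}, {}
    kind, obj, nameif = None, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[:1].isspace():        # unindented line starts a new context
            kind = None
            if line.startswith("interface "):
                kind, nameif = "iface", None
            elif line.startswith("object network "):
                # setdefault: 'show running-config' prints an object's body and
                # its nat line as two separate 'object network' blocks
                kind, obj = "object", objects.setdefault(line.split()[2], {})
            elif line.startswith("access-list "):
                acls.setdefault(line.split()[1], []).append(line)
            elif line.startswith("access-group "):
                parts = line.split()     # access-group NAME in interface IFC
                groups[parts[4]] = parts[1]
            continue
        if kind == "iface":
            if line.startswith("nameif "):
                nameif = line.split()[1]
            elif line.startswith("ip address ") and nameif:
                iface_ips[nameif] = line.split()[2]
        elif kind == "object" and line.startswith("nat "):
            obj["nat"] = line
    return iface_ips, objects, acls, groups


def permitted(acl_lines, obj_name, port):
    """True if a permit entry carries 'object <name>' and, when given, 'eq <port>'."""
    for line in acl_lines:
        parts = line.split()
        pairs = list(zip(parts, parts[1:]))
        if "permit" in parts and ("object", obj_name) in pairs:
            if port is None or ("eq", port) in pairs:
                return True
    return False


def check_config(config):
    iface_ips, objects, acls, groups = parse_config(config)
    findings = []
    for name, obj in objects.items():
        nat = obj.get("nat", "")
        m = DYNAMIC_RE.match(nat)
        if m:
            _, mapped_ifc, mapped = m.groups()
            if mapped != "interface" and mapped == iface_ips.get(mapped_ifc):
                findings.append(f"{name}: dynamic NAT to {mapped} overlaps the "
                                f"{mapped_ifc} address; use 'dynamic interface'")
            continue
        m = STATIC_RE.match(nat)
        if not m:
            continue
        _, mapped_ifc, mapped, _proto, real_port, _mapped_port = m.groups()
        acl_name = groups.get(mapped_ifc)
        if acl_name is None:   # no ACL on the mapped interface: inbound is denied by default
            findings.append(f"{name}: no access-group on {mapped_ifc}; inbound "
                            f"traffic to {mapped} is denied by default")
        elif not permitted(acls.get(acl_name, []), name, real_port):
            findings.append(f"{name}: static NAT to {mapped} has no permit "
                            f"entry in ACL {acl_name}")
    return findings


# Constructed sample condensed from the thread's config, with two injected
# mistakes: x.x.x.13 written out instead of 'interface', and https_17 forwarded
# without a matching ACL entry.
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 ip address x.x.x.13 255.255.255.248
object network obj-192.168.0.0
 subnet 192.168.0.0 255.255.255.0
 nat (inside,outside) dynamic x.x.x.13
object network http_14
 host 192.168.0.14
 nat (inside,outside) static x.x.x.14 service tcp www www
object network https_17
 host 192.168.0.17
 nat (inside,outside) static x.x.x.17 service tcp https https
access-list outside_access_in extended permit tcp any object http_14 eq www
access-group outside_access_in in interface outside
"""

if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print(finding)
```

The ACL match is a simplified token match (permit entry naming the object as destination and the real port), which is enough for the one-port forwards used here; it does not evaluate ACL ordering or deny entries, so it complements packet-tracer rather than replacing it.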
02-27-2018 07:48 AM
I have no way of knowing if the config is going to work or not, because I do not know what the requirements are, but I do not see anything that stands out in the config.
Considering you are doing a remote upgrade I would make sure the ASA is reachable after the upgrade:
- add no shutdown to the interface config
- temporarily permit access from specific IPs to the public IP
- allow SSH; ASDM can sometimes be unreliable, especially if you are doing an upgrade
- prepare for the worst-case scenario in which the ASA is not reachable anymore